Secret Backdoor Plugin

Update: The sale for the save-your-bacon Secret Backdoor plugin is now live at just $10.00 for the first 36 hours.

It will then rise to $12.50 for the duration of the sale.

Buy now


The back door plugin has been designed to manage and generate small scripts you can download and then upload to all your sites and all your client sites too.


These small scripts enable you to create a WP admin account on sites where you may have had your access removed for one reason or another such as a hack attack. If it’s a hack, you could either leave the script there the whole time, or upload it by FTP after the “event” and then call it from your browser to re-enable access to the WP admin panel.


As another example, if you have a non-paying client that has removed access to the site you’ve been working on, you can use it to regain access by creating a new admin account and then remove the work you’ve done until the client pays you.

I’m sure this situation has happened to many web developers and consultants.

In this case you would have to place the script on the site as a precautionary measure beforehand.

Once you need to regain access to the site, you simply call the script in your web browser and you’ll see a simple form where you add your new username and email address plus the password you want to use for the new account, and also (most importantly) the secret key.  Without the secret key you won’t be able to create the new account – you should make sure that the secret key is something that’s isn’t easily guessable.


Finally, it could also be used to temporarily create an admin account where a customer has asked you to look at their WordPress site but has only given you the FTP login details.

It happens, believe me!  😉

Because this plugin is a joint venture between Glen and I, it won’t be available in the Plugin Great members area, sorry.

If you’re a PG member, don’t worry I’ve got some other cool plugins in the final stages.  🙄

I’m sure once you see how it can save your bacon that you’ll want to add it to your arsenal.

Frank Haywood

Posted by Frank Haywood


Gary Jenkins

Great plugin Frank. Just what I’ve been waiting for. I have a membership site that includes a plugin that is installed on clients sites. With this I can make sure that if they stop being a client the plugin is removed.


Frank Haywood

Hi Gary,

I hadn’t even thought of that usage, but I like it as it gives you an additional layer of control over your property.

Nobody wants relationships to go bad but sometimes it happens at the most surprising of times, and being able to withdraw your work until you’re paid for it is I think very important for any business.


Wow – I’ve been excited about this since I first got the notice. Anybody that does offline services could use this – can’t wait!!!!!!!!!!!


P.S. I said a prayer that the “product gremlins” would stay away from this launch today. Hope it works out.

Kevin Baker

Brilliant idea Frank.

Wished I had this last October. I designed a site for a client and she deleted my access before paying me so now i’m hooped. now it will never happen again will it!!

Thanks for creating this because its brilliant.


Frank Haywood

Hi Kevin,

Yep unfortunately this happens to everyone in the business sooner or later. And it can get drawn out and tiresome if you have to rely on small claims court to get paid and even then there’s no guarantee you will. At least now you’ll be able to remove the work you’ve done if you don’t get paid for it. Someone I know who used a similar method got paid within an hour of removing the work after repeated reminders for payment.


Hey Frank, I just purchased this wonderful Plugin, but I am a just little concerned about hackers.

You said I can use this Plugin to regain control AFTER my Site has been hacked.

My concern is this: what if a hacker purchases this Plugin from you and uses it to hack one of my sites? (I am also guessing this Plugin will become very popular on the Black Hat Sites.)

Of course I use 14 character nonsense passwords like this one


to protect my WordPress and totally different 14 character nonsense passwords to protect my cPanel installations.

But are there any other ways to protect myself against hackers using this wonderful Plugin to hack my sites?

I have always thought about how nice it would be to have a hidden Admin Username and Password which would give me access to a site after a client has locked me out and not paid me for my work.

Maybe this is the Plugin I had in mind and I just didn’t know it. LOL =)

All I know is I am going to feel a lot more comfortable giving my clients Admin Access, knowing that your Plugin is now available.

Thank you for all your hard work! Keep coming up with these innovative ideas!


Frank Haywood

Hi Edward,

It’s okay this isn’t hacking tool. 🙂

If you don’t already have access by FTP OR you had it at one point and you uploaded the backdoor script the plugin generates, then this won’t work. You couldn’t go to any WordPress site and get in – you must have at least FTP access.

I think this *is* the plugin you had in mind. 🙄

What this does is makes it far easier to get back into WordPress. “Traditionally” to get back into WordPress you’d have use phpMyAdmin and amend the database manually to an encoded password that you already knew worked. It’s fiddly. You can mess up big time if you get it wrong.

This takes all the real techy bit out and makes it easier to get back into the site. 🙂


Ok I guess that is my question then.

Is there any way to to keep a hacker from gaining FTP access to my cPanel, other than using those nonsense 14 character passwords?

Any other security secrets you might know?


Frank Haywood

Hi Edward,

No secrets that I know of unless it’s something other people don’t know and I haven’t realised. 🙄

There are plenty of security plugins out there that can help to make you feel safer and protect you against the script kiddies, but I don’t think any site will withstand a genuine hack attempt by real hackers.

Just keep it real, and take backups against the time that disaster happens.


I’m in! And a HUGE Thank You for the tip on Instant WP! There was a guy on the WF selling a similar product for around $70 U.S., and this does the same thing and more, is easier to use, and it’s free! Can’t beat that!

And as Secret Backdoor Plugin is from you and not some one-hit-wonder on the WF, I know it will be supported over the long hall. BTW, I think you could easily be selling SBP for $47 or more – although I’m not complaining about $10 AND personal use + client rights!

Thanks again,

Frank Haywood

Hi Maury,

You’re welcome and yep Instant WP is pretty good. At first I thought you could only run a single instance of Instant WP at a time which made the paid one better because it was multiple usage.


It seems you can just create copies of Instant WP and every time you run it, it creates a localhost instance of WP on a different port – I found that out by accident when I ran the copy to see what would happen and then ran the original too to see if it all crashed. I was pleasantly surprised to see it didn’t.

Instant WP probably isn’t as slick as the paid one, but for free you can’t really complain. 😉

I’ve had some thoughts on SBP – I reckon we could build a simple FTP client into the plugin that would connect and write the script out too. It *might* be fiddly, so we’ll have to see how it can be done.


Patrick Bardet

Hi Franck,
In the case of a hack, and the database erased or destroyed, we never could access to the admin again. So before, we should have a saved db, then rollback the db, will the script work well ?



Frank Haywood

Hi Patrick,

Yes. But if you already had a recent backup of the database and you were rolling it back, then you’d be able to log in as normal anyway as it would still contain your old password. The site files might be deleted or amended but the database is probably the 95% of your site that isn’t replaceable.

The trick is to regularly backup the database AND occasionally the files that make up your site. There’s a free plugin that will regularly backup your database called WP-DBManager by Lester Chan that’s quite good.


Gary Jenkins


I haven’t tested this yet, but can the uploaded file be installed in a sub directory like the plugin directory?


Frank Haywood

Hi Gary,

I haven’t tested that either, but my first guess is it can’t. Good point though.

I’ll have a word with Glen and see if we can’t get that ability added. It would be nice to tuck it away in the admin folder wouldn’t it? 😉


Gary Jenkins

I just tried it and no it didn’t work. If that could be added it would be great.

Another feature that would be nice is if you could delete the file once you’ve done what you needed to do. It being in the wp root I don’t see a way to get rid of the file.


Frank Haywood

Hi Gary,

Okay, so if we add a check box to optionally delete the file once in – that should do it? I guess in practice you’d visit the script once to log in and then once you’re sure you’re in, visit it again and check the box to delete it.


I second the request to upload the file deep within WordPress someplace. Make the hackers work for their supper. LOL

Frank Haywood

Hi Edward,

Yep, we’re going to do this as it’s a good idea. 🙂